CVE-2024-24496
published 2024-02-08

Priority: P273 critical
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 19.50% (97.0th percentile)
An issue in Daily Habit Tracker v.1.0 allows a remote attacker to manipulate trackers via the home.php, add-tracker.php, delete-tracker.php, update-tracker.php components.

Affected (1 range)

Vendor: remyandrade
Product: daily_habit_tracker
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

Paths:
  /habit-tracker/endpoint/add-tracker.php
  /habit-tracker/endpoint/update-tracker.php
  /habit-tracker/endpoint/delete-tracker.php
  /habit-tracker/home.php

Requests seen in the PoC:
  POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
  body: date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
  GET /habit-tracker/endpoint/delete-tracker.php?tracker=5
  • Detect unauthenticated POST requests to the add-tracker.php and update-tracker.php endpoints: no session/auth cookie present in the request headers.
  • Alert on GET requests to delete-tracker.php with a numeric 'tracker' parameter from unauthenticated sessions, indicating unauthorized deletion attempts.
  • Monitor for direct navigation to home.php without a preceding authenticated session, as the application performs no authentication check on this page.
  • Flag POST requests to /habit-tracker/endpoint/ paths where the Referer header is set to home.php but no valid session token is present; this is consistent with the PoC exploit pattern.
  • The exploit targets Daily Habit Tracker version 1.0 specifically; the vulnerable endpoints are under the /habit-tracker/endpoint/ path, which may differ if the application is installed in a non-default directory.
  • All four components (home.php, add-tracker.php, delete-tracker.php, update-tracker.php) lack authentication checks independently, meaning partial patching of only some endpoints leaves the application still exploitable.
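The four detection rules above, written out as a small Python log scanner. This is an added example, not code from the page's sources or from the Daily Habit Tracker project. It assumes a web-server log format that appends the request's Cookie header as a final quoted field (e.g. an Apache LogFormat ending in "%{Cookie}i"), that the session cookie is PHP's default PHPSESSID, and that the application sits at its default /habit-tracker path (change APP_ROOT for a non-default install, as the note above warns). The log lines are constructed for the example.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format (constructed for this example): Apache "combined" log with the
# request's Cookie header appended as one more quoted field, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*" "(?P<cookie>[^"]*)"$'
)

APP_ROOT = "/habit-tracker"              # default install path named in the advisory
ENDPOINT_DIR = APP_ROOT + "/endpoint/"
WRITE_ENDPOINTS = {ENDPOINT_DIR + "add-tracker.php", ENDPOINT_DIR + "update-tracker.php"}
DELETE_ENDPOINT = ENDPOINT_DIR + "delete-tracker.php"
HOME_PAGE = APP_ROOT + "/home.php"
SESSION_COOKIE = "PHPSESSID"             # assumption: PHP's default session cookie name


def has_session(cookie_field: str) -> bool:
    """True if the logged Cookie header carries a non-empty session cookie."""
    if cookie_field in ("", "-"):        # "-" is how the server logs a missing header
        return False
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return True
    return False


def detect(line: str) -> list[str]:
    """Return the names of the detection rules that fire for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed_line"]
    url = urlsplit(m["target"])
    path, query = url.path, parse_qs(url.query)
    method, referer = m["method"], m["referer"]
    alerts: list[str] = []
    if has_session(m["cookie"]):
        return alerts                    # every rule below is about unauthenticated access
    # Rule 1: POST to add-tracker.php / update-tracker.php with no session cookie
    if method == "POST" and path in WRITE_ENDPOINTS:
        alerts.append("unauthenticated_tracker_write")
    # Rule 2: GET delete-tracker.php with a numeric 'tracker' parameter and no session
    if method == "GET" and path == DELETE_ENDPOINT and query.get("tracker", [""])[0].isdigit():
        alerts.append("unauthenticated_tracker_delete")
    # Rule 3: home.php reached without any session
    if path == HOME_PAGE:
        alerts.append("unauthenticated_home")
    # Rule 4: POST under /endpoint/ with a home.php Referer but no session (PoC shape)
    if method == "POST" and path.startswith(ENDPOINT_DIR) and referer.endswith(HOME_PAGE):
        alerts.append("poc_pattern")
    return alerts


def scan(lines: list[str]) -> list[tuple[str, str, str, list[str]]]:
    """Return (client ip, method, path, alerts) for every line that triggers a rule."""
    hits = []
    for line in lines:
        alerts = detect(line)
        m = LOG_RE.match(line)
        if alerts and m:
            hits.append((m["ip"], m["method"], urlsplit(m["target"]).path, alerts))
    return hits


# Constructed sample log: three unauthenticated requests matching the PoC, one
# authenticated update, and one unrelated page that should not fire anything.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Feb/2024:10:15:02 +0000] "POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1" 200 512 "http://tracker.example/habit-tracker/home.php" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [08/Feb/2024:10:15:09 +0000] "GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1" 200 88 "-" "curl/8.4.0" "-"',
    '203.0.113.5 - - [08/Feb/2024:10:15:20 +0000] "GET /habit-tracker/home.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [08/Feb/2024:10:16:01 +0000] "POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1" 200 512 "http://tracker.example/habit-tracker/home.php" "Mozilla/5.0" "PHPSESSID=3f9c1e2a; theme=dark"',
    '198.51.100.7 - - [08/Feb/2024:10:16:30 +0000] "GET /habit-tracker/login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for ip, method, path, alerts in scan(SAMPLE_LOG):
        print(f"{ip} {method} {path}: {', '.join(alerts)}")
```

Because the vulnerability is a missing server-side check, the presence of a session cookie in the log is only a proxy: the rules separate obvious unauthenticated hits from normal use, but the real fix is to add the authentication check to all four PHP files, as the note above points out.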